Legal issues are very tricky, they change (some times dramatically) between different countries and jurisdictions. Even when there are clear laws and regulation (for example, privacy protection in the UK/EU), the penalties/fines are usually quite small, and the chances of 'getting caught' even lower. I am aware of some cases where violations were allegedly made, but the business did not seem to care, and in fact did not face any penalties as a result, or the penalties were small.
Placing 'illegal files' (whatever that may be), might or might not count as a legal breach, and might or might not carry any penalties. In some cases, it's enough to demonstrate that you deleted the files and put some better protection in place to avoid any penalty (that is, after 'being caught').
With that in mind, I think whilst on the face of it, legal risk may be a good way to emphasise why a company or organisation should protect its data. It might not be enough to make a convincing argument. Perhaps it's easier to find some other reasons (exposing financial details of the company, bad publicity or poor company image).
Of course, a lawyer in your country would advise you much better than I can. Especially if they specialise in these area (copyright, privacy, e-commerce etc)
and of course I forgot to mention that IANAL.